Zoom
Discover installed Marketplace apps, OAuth bots/tokens and scopes, chat channels, meeting/webinar settings, cloud recordings/transcripts, webhooks and account/role policies. Govern non-human identities and their effective access — stop risky actions before impact.
What the connector discovers
- **Marketplace Apps, Bots & Scopes**: Installed apps (account/user), OAuth client grants, bot tokens (metadata), app owners, publish state, scopes (meeting:read, recording:read, chat:read, phone:read…).
- **Meetings & Webinars (metadata)**: Account/group settings that affect risk: join-before-host, waiting room, passcodes, screen share, recording, live streaming, breakout rooms, webinar panelists.
- **Cloud Recordings & Transcripts (metadata)**: Recording availability/retention, share links, password enforcement, transcription toggles; no media content is ingested for discovery.
- **Zoom Chat & Channels**: Channels (public/private), memberships, external users, file-sharing controls, compliance archiving surfaces (metadata).
- **Account, Roles & Policy Surfaces**: Account-level settings, role-based permissions, group policies, account lockouts, SSO/SAML posture, webhook endpoints.
- **Effective Permissions**: Which app/bot can access which Zoom resources and actions (meetings, recordings, chat, phone, rooms) at the moment of action.
Zoom apps and policies control meetings, recordings and chat where sensitive content lives. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.
Drift-aware risk scoring
Baselines per app/bot; peer groups by team; detection of scope expansion, risky meeting defaults (join-before-host, recording on), public recording links, external chat exposure and anomalous usage bursts.
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Minimize scopes for apps, revoke risky apps, and require JIT approvals before enabling recording/streaming or posting to sensitive channels.
Audit-grade narratives
Each decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after scopes, affected meetings/recordings/chats and owner context.
Connect Zoom
Use a Zoom **Server-to-Server OAuth** app (recommended) or an **OAuth** app with read-only scopes for discovery. JWT apps are deprecated by Zoom; prefer Server-to-Server OAuth.
1. **Create a Server-to-Server OAuth app**: Zoom App Marketplace → Develop → Build App → Server-to-Server OAuth. Record the Account ID, Client ID and Client Secret.
2. **Grant read scopes**: Suggested (adjust per need): account:read:admin, role:read:admin, user:read:admin, meeting:read:admin, webinar:read:admin, recording:read:admin, chat_channel:read:admin, chat_message:read:admin (optional), phone:read:admin (optional), report:read:admin.
3. **Add credentials in ClarioSec**: Open the Zoom connector and paste the Account ID, Client ID and Client Secret. ClarioSec handles the OAuth token lifecycle per tenant.
4. **(Optional) Webhook-only events**: Configure an Event Subscription (e.g., app installed/updated, recording completed, meeting settings changed) to enrich governance.
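As an added example (not ClarioSec's or Zoom's own code), the Python script below builds the Server-to-Server OAuth token request from the Account ID, Client ID and Client Secret recorded in step 1 and then audits the `scope` string Zoom returns against the read-only list from step 2, so an over-granted write scope or a missing read scope is caught before the connector is trusted. The token endpoint and the `account_credentials` grant are Zoom's documented Server-to-Server OAuth flow; the sample token response is constructed, and the `ZOOM_*` environment variable names are an assumption of this example.

```python
"""Zoom Server-to-Server OAuth: build the token request and audit the granted scopes.
Added example; the endpoint and grant type follow Zoom's documented S2S OAuth flow."""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://zoom.us/oauth/token"

# Read-only discovery scopes from the setup steps; the two optional ones are tolerated, not required.
REQUIRED_SCOPES = {
    "account:read:admin", "role:read:admin", "user:read:admin", "meeting:read:admin",
    "webinar:read:admin", "recording:read:admin", "chat_channel:read:admin", "report:read:admin",
}
OPTIONAL_SCOPES = {"chat_message:read:admin", "phone:read:admin"}


def build_token_request(account_id, client_id, client_secret):
    """Return (url, headers, body) for the account_credentials grant.
    Client ID and secret travel in an HTTP Basic header, not the URL, so they never land in access logs."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "account_credentials", "account_id": account_id})
    return TOKEN_URL, headers, body


def audit_granted_scopes(token_response):
    """Compare the space-separated `scope` field of the token reply with the read-only baseline.
    Anything beyond REQUIRED/OPTIONAL is excess; write/master scopes are called out separately."""
    granted = set(token_response.get("scope", "").split())
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "excess": sorted(granted - REQUIRED_SCOPES - OPTIONAL_SCOPES),
        "write_scopes": sorted(s for s in granted if ":write" in s or ":master" in s),
        "expires_in": token_response.get("expires_in"),
    }


def fetch_token(account_id, client_id, client_secret, timeout=15):
    """Live token fetch; needs network access and real credentials."""
    url, headers, body = build_token_request(account_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample shaped like Zoom's token reply; the token value is a placeholder.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "PLACEHOLDER_TOKEN",
    "token_type": "bearer",
    "expires_in": 3599,
    "scope": ("account:read:admin role:read:admin user:read:admin meeting:read:admin "
              "webinar:read:admin recording:read:admin chat_channel:read:admin "
              "report:read:admin recording:write:admin"),
}

if __name__ == "__main__":
    # ZOOM_* variable names are an assumption of this example, not a Zoom convention.
    creds = [os.environ.get(k) for k in ("ZOOM_ACCOUNT_ID", "ZOOM_CLIENT_ID", "ZOOM_CLIENT_SECRET")]
    reply = fetch_token(*creds) if all(creds) else SAMPLE_TOKEN_RESPONSE
    print(json.dumps(audit_granted_scopes(reply), indent=2))
```

Run without credentials and the script audits the constructed reply, reporting `recording:write:admin` as an excess write scope; with the three environment variables set it fetches a real token and audits that instead. Tokens from this grant are short-lived (`expires_in` is about an hour), which is why the connector, not an operator, should own the refresh cycle.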
High-value signals via Zoom REST APIs (metadata only):
- Installed apps/bots, OAuth client grants & scopes; owners and publish state
- Account, roles, groups and policy surfaces impacting meetings/webinars/chat
- Meetings/webinars settings, live-stream/recording toggles (no media ingest)
- Cloud recordings/transcripts metadata; sharing links and retention windows
- Chat channels and memberships; external participants; file controls
Endpoint family: Zoom REST APIs (Account, Users, Meetings, Webinars, Recordings, Chat, Roles/Reports) + Webhooks (optional).
- **Over-privileged apps & dormant bots**: Apps with broad scopes (recording:read, chat:write) that are unused or owned by deprovisioned users.
- **Risky meeting defaults**: Join-before-host, no waiting room, screen share by all, recordings auto-enabled without retention guardrails.
- **Public recording links**: Recordings set to public links or external access without password controls.
- **External chat exposure**: External users in sensitive channels, files posted without retention or DLP controls.
- Just-in-time approvals for new app installs & scope upgrades
- Automatic scope minimization & deprovisioning of dormant apps
- Recording sharing controls & retention alignment enforcement
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
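The risk signals listed above (scope expansion against a baseline, dormant or over-privileged apps, orphaned owners, risky meeting defaults and public recording links) can be expressed as plain checks over the metadata the connector collects. The Python below is an added example, not ClarioSec's scoring model or Zoom's code: the app, settings and recording records are constructed, the weights are an assumption, and the settings and recording key names are modelled on the shape of Zoom's account-settings and recording-settings responses but should be treated as assumptions too.

```python
"""Drift-aware risk checks over Zoom metadata: scope expansion, dormant or over-privileged
apps, risky meeting defaults and public recording links. Added example with constructed data."""
from datetime import datetime, timedelta, timezone

WRITE_MARKERS = (":write", ":master")
# Weights are an assumption of this example, not ClarioSec's scoring model.
WEIGHTS = {"over-privileged-dormant": 3, "orphaned-owner": 2, "dormant": 1,
           "meeting-default": 2, "public-recording": 3}


def scope_drift(baseline, current):
    """Scopes each app holds now that were absent from the baseline snapshot (new apps count in full)."""
    drift = {}
    for app, scopes in current.items():
        added = set(scopes) - set(baseline.get(app, ()))
        if added:
            drift[app] = sorted(added)
    return drift


def app_findings(apps, now, dormant_days=30):
    """Flag apps idle beyond dormant_days (worse when they hold write scopes) and apps whose owner is gone."""
    findings = []
    for app in apps:
        write = sorted(s for s in app["scopes"] if any(m in s for m in WRITE_MARKERS))
        idle = now - datetime.fromisoformat(app["last_used"]) > timedelta(days=dormant_days)
        if idle and write:
            findings.append((app["name"], "over-privileged-dormant", write))
        elif idle:
            findings.append((app["name"], "dormant", []))
        if not app["owner_active"]:
            findings.append((app["name"], "orphaned-owner", []))
    return findings


def meeting_default_findings(settings):
    """Risky account defaults. Key names are modelled on Zoom's account settings API (assumed here)."""
    sched, inm, rec = settings["schedule_meeting"], settings["in_meeting"], settings["recording"]
    found = []
    if sched.get("join_before_host"):
        found.append("join-before-host")
    if not inm.get("waiting_room"):
        found.append("no-waiting-room")
    if inm.get("who_can_share_screen") == "all":
        found.append("share-screen-all")
    if rec.get("auto_recording", "none") != "none" and not rec.get("auto_delete_cmr"):
        found.append("auto-record-no-retention")
    return found


def public_recordings(recordings):
    """Recordings shared publicly with no passcode set."""
    return [r["id"] for r in recordings
            if r.get("share_recording") == "publicly" and not r.get("password")]


def assess(baseline, current, apps, settings, recordings, now):
    """Combine the signals into one report with a weighted score."""
    apps_f = app_findings(apps, now)
    meeting_f = meeting_default_findings(settings)
    public_f = public_recordings(recordings)
    score = (sum(WEIGHTS[kind] for _, kind, _ in apps_f)
             + WEIGHTS["meeting-default"] * len(meeting_f)
             + WEIGHTS["public-recording"] * len(public_f))
    return {"scope_drift": scope_drift(baseline, current), "apps": apps_f,
            "meeting_defaults": meeting_f, "public_recordings": public_f, "score": score}


# Constructed sample metadata (not real Zoom data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
BASELINE = {"notes-bot": ["meeting:read:admin"], "recorder": ["recording:read:admin"]}
CURRENT = {"notes-bot": ["meeting:read:admin", "chat_message:write:admin"],
           "recorder": ["recording:read:admin"], "phone-sync": ["phone:read:admin"]}
APPS = [
    {"name": "notes-bot", "scopes": CURRENT["notes-bot"], "last_used": "2024-03-01T00:00:00+00:00", "owner_active": True},
    {"name": "recorder", "scopes": CURRENT["recorder"], "last_used": "2024-05-30T00:00:00+00:00", "owner_active": False},
    {"name": "phone-sync", "scopes": CURRENT["phone-sync"], "last_used": "2024-04-01T00:00:00+00:00", "owner_active": True},
]
SETTINGS = {"schedule_meeting": {"join_before_host": True},
            "in_meeting": {"waiting_room": False, "who_can_share_screen": "all"},
            "recording": {"auto_recording": "cloud", "auto_delete_cmr": False}}
RECORDINGS = [{"id": "rec-1", "share_recording": "publicly", "password": ""},
              {"id": "rec-2", "share_recording": "publicly", "password": "set"},
              {"id": "rec-3", "share_recording": "internally", "password": ""}]

if __name__ == "__main__":
    import json
    print(json.dumps(assess(BASELINE, CURRENT, APPS, SETTINGS, RECORDINGS, NOW), indent=2))
```

On the constructed data the report flags `notes-bot` as dormant while holding a newly added write scope, `recorder` as owned by a deprovisioned user, all four risky meeting defaults, and `rec-1` as a public recording without a passcode. Keeping the baseline snapshot separate from the current scope set is what turns a static posture check into drift detection: the same app with the same scopes scores zero until something changes.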
Ready to govern Zoom apps and bots at runtime?
Move from app posture to provable behavior — identity → scope → action → narrative.